- Kernel - mailweb.openeuler.org

[PATCH OLK-5.10 0/2] A small fix for ftrace preemption count
by Tengda Wu 28 Jun '25

28 Jun '25

This patch series is going to correct ftrace preemption count. pengdonglin (2): ftrace: Fix preemption accounting for stacktrace filter command ftrace: Fix preemption accounting for stacktrace trigger command kernel/trace/trace_events_trigger.c | 2 +- kernel/trace/trace_functions.c | 6 +----- 2 files changed, 2 insertions(+), 6 deletions(-) -- 2.34.1

2 3

[openeuler:OLK-5.10 2989/2989] drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1879:17: error: implicit declaration of function '__symbol_put'; did you mean '__symbol_get'?
by kernel test robot 28 Jun '25

28 Jun '25

tree: https://gitee.com/openeuler/kernel.git OLK-5.10 head: c245365237da527fb423d85e7ec54648113f843d commit: 79871cd2cd720225eb582c9ed49fb4a96a270b3b [2989/2989] net/hinic3: Synchronize new NIC features and bug fixes config: x86_64-buildonly-randconfig-006-20250628 (https://download.01.org/0day-ci/archive/20250628/202506281459.uUU3BKjw-lkp@…) compiler: gcc-12 (Debian 12.2.0-14+deb12u1) 12.2.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250628/202506281459.uUU3BKjw-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202506281459.uUU3BKjw-lkp@intel.com/ All errors (new ones prefixed by >>): drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:103:6: warning: no previous prototype for 'hinic3_uld_lock_init' [-Wmissing-prototypes] 103 | void hinic3_uld_lock_init(void) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:525:5: warning: no previous prototype for 'hinic3_pdev_is_virtfn' [-Wmissing-prototypes] 525 | u32 hinic3_pdev_is_virtfn(struct pci_dev *pdev) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:785:5: warning: no previous prototype for '__set_vroce_func_state' [-Wmissing-prototypes] 785 | int __set_vroce_func_state(struct hinic3_pcidev *pci_adapter) | ^~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:826:6: warning: no previous prototype for 'slave_host_mgmt_vroce_work' [-Wmissing-prototypes] 826 | void slave_host_mgmt_vroce_work(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:834:7: warning: no previous prototype for 'hinic3_get_roce_uld_by_pdev' [-Wmissing-prototypes] 834 | void *hinic3_get_roce_uld_by_pdev(struct pci_dev *pdev) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1796:6: warning: no previous prototype for 'hinic3_set_func_state' [-Wmissing-prototypes] 1796 | void hinic3_set_func_state(struct hinic3_pcidev *pci_adapter) | ^~~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1822:6: warning: no previous prototype for 'slave_host_mgmt_work' [-Wmissing-prototypes] 1822 | void slave_host_mgmt_work(struct work_struct *work) | ^~~~~~~~~~~~~~~~~~~~ drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c: In function 'slave_host_vfio_probe_delay_work': >> drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c:1879:17: error: implicit declaration of function '__symbol_put'; did you mean '__symbol_get'? [-Werror=implicit-function-declaration] 1879 | __symbol_put("migration_dev_migration_probe"); | ^~~~~~~~~~~~ | __symbol_get cc1: some warnings being treated as errors vim +1879 drivers/net/ethernet/huawei/hinic3/hw/hinic3_lld.c 1858 1859 static void slave_host_vfio_probe_delay_work(struct work_struct *work) 1860 { 1861 struct delayed_work *delay = to_delayed_work(work); 1862 struct hinic3_pcidev *pci_adapter = container_of(delay, struct hinic3_pcidev, migration_probe_dwork); 1863 struct pci_dev *pdev = pci_adapter->pcidev; 1864 int (*dev_migration_probe)(struct pci_dev *); 1865 int rc; 1866 1867 if (hinic3_func_type((struct hinic3_hwdev *)pci_adapter->hwdev) != TYPE_PF) { 1868 return; 1869 } 1870 1871 dev_migration_probe = __symbol_get("migration_dev_migration_probe"); 1872 if (!(dev_migration_probe)) { 1873 sdk_err(&pdev->dev, 1874 "Failed to find: migration_dev_migration_probe"); 1875 queue_delayed_work(pci_adapter->migration_probe_workq, 1876 &pci_adapter->migration_probe_dwork, WAIT_TIME * HZ); 1877 } else { 1878 rc = dev_migration_probe(pdev); > 1879 __symbol_put("migration_dev_migration_probe"); 1880 if (rc) { 1881 sdk_err(&pdev->dev, 1882 "Failed to __dev_migration_probe, rc:0x%x, pf migrated(%d).\n", 1883 rc, g_is_pf_migrated); 1884 } else { 1885 g_is_pf_migrated = true; 1886 sdk_info(&pdev->dev, 1887 "Successed in __dev_migration_probe, pf migrated(%d).\n", 1888 g_is_pf_migrated); 1889 } 1890 } 1891 1892 return; 1893 } 1894 -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH openEuler-1.0-LTS] erspan: do not use skb_mac_header() in ndo_start_xmit()
by Wang Liang 28 Jun '25

28 Jun '25

From: Eric Dumazet <edumazet(a)google.com> stable inclusion from stable-v4.19.280 commit da149daf821a3c05cd04f7c60776c86c5ee9685c category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5DGJ CVE: CVE-2023-53053 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 8e50ed774554f93d55426039b27b1e38d7fa64d8 ] Drivers should not assume skb_mac_header(skb) == skb->data in their ndo_start_xmit(). Use skb_network_offset() and skb_transport_offset() which better describe what is needed in erspan_fb_xmit() and ip6erspan_tunnel_xmit() syzbot reported: WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 skb_mac_header include/linux/skbuff.h:2873 [inline] WARNING: CPU: 0 PID: 5083 at include/linux/skbuff.h:2873 ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962 Modules linked in: CPU: 0 PID: 5083 Comm: syz-executor406 Not tainted 6.3.0-rc2-syzkaller-00866-gd4671cb96fa3 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/02/2023 RIP: 0010:skb_mac_header include/linux/skbuff.h:2873 [inline] RIP: 0010:ip6erspan_tunnel_xmit+0x1d9c/0x2d90 net/ipv6/ip6_gre.c:962 Code: 04 02 41 01 de 84 c0 74 08 3c 03 0f 8e 1c 0a 00 00 45 89 b4 24 c8 00 00 00 c6 85 77 fe ff ff 01 e9 33 e7 ff ff e8 b4 27 a1 f8 <0f> 0b e9 b6 e7 ff ff e8 a8 27 a1 f8 49 8d bf f0 0c 00 00 48 b8 00 RSP: 0018:ffffc90003b2f830 EFLAGS: 00010293 RAX: 0000000000000000 RBX: 000000000000ffff RCX: 0000000000000000 RDX: ffff888021273a80 RSI: ffffffff88e1bd4c RDI: 0000000000000003 RBP: ffffc90003b2f9d8 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000000 R12: ffff88802b28da00 R13: 00000000000000d0 R14: ffff88807e25b6d0 R15: ffff888023408000 FS: 0000555556a61300(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000055e5b11eb6e8 CR3: 0000000027c1b000 CR4: 00000000003506f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> __netdev_start_xmit include/linux/netdevice.h:4900 [inline] netdev_start_xmit include/linux/netdevice.h:4914 [inline] __dev_direct_xmit+0x504/0x730 net/core/dev.c:4300 dev_direct_xmit include/linux/netdevice.h:3088 [inline] packet_xmit+0x20a/0x390 net/packet/af_packet.c:285 packet_snd net/packet/af_packet.c:3075 [inline] packet_sendmsg+0x31a0/0x5150 net/packet/af_packet.c:3107 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg+0xde/0x190 net/socket.c:747 __sys_sendto+0x23a/0x340 net/socket.c:2142 __do_sys_sendto net/socket.c:2154 [inline] __se_sys_sendto net/socket.c:2150 [inline] __x64_sys_sendto+0xe1/0x1b0 net/socket.c:2150 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7f123aaa1039 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 b1 14 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007ffc15d12058 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f123aaa1039 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 0000000000000000 R08: 0000000020000040 R09: 0000000000000014 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f123aa648c0 R13: 431bde82d7b634db R14: 0000000000000000 R15: 0000000000000000 Fixes: 1baf5ebf8954 ("erspan: auto detect truncated packets.") Reported-by: syzbot <syzkaller(a)googlegroups.com> Signed-off-by: Eric Dumazet <edumazet(a)google.com> Reviewed-by: Simon Horman <simon.horman(a)corigine.com> Link: https://lore.kernel.org/r/20230320163427.8096-1-edumazet@google.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/ipv4/ip_gre.c | 4 ++-- net/ipv6/ip6_gre.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c index 6bb6373e6041..468d3064d8bd 100644 --- a/net/ipv4/ip_gre.c +++ b/net/ipv4/ip_gre.c @@ -606,7 +606,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev) truncate = true; } - nhoff = skb_network_header(skb) - skb_mac_header(skb); + nhoff = skb_network_offset(skb); if (skb->protocol == htons(ETH_P_IP) && (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff)) truncate = true; @@ -615,7 +615,7 @@ static void erspan_fb_xmit(struct sk_buff *skb, struct net_device *dev) int thoff; if (skb_transport_header_was_set(skb)) - thoff = skb_transport_header(skb) - skb_mac_header(skb); + thoff = skb_transport_offset(skb); else thoff = nhoff + sizeof(struct ipv6hdr); if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff) diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c index 3ac775eddf4d..19c5dbfe095b 100644 --- a/net/ipv6/ip6_gre.c +++ b/net/ipv6/ip6_gre.c @@ -963,7 +963,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, truncate = true; } - nhoff = skb_network_header(skb) - skb_mac_header(skb); + nhoff = skb_network_offset(skb); if (skb->protocol == htons(ETH_P_IP) && (ntohs(ip_hdr(skb)->tot_len) > skb->len - nhoff)) truncate = true; @@ -972,7 +972,7 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb, int thoff; if (skb_transport_header_was_set(skb)) - thoff = skb_transport_header(skb) - skb_mac_header(skb); + thoff = skb_transport_offset(skb); else thoff = nhoff + sizeof(struct ipv6hdr); if (ntohs(ipv6_hdr(skb)->payload_len) > skb->len - thoff) -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] kcm: close race conditions on sk_receive_queue
by Wang Liang 28 Jun '25

28 Jun '25

From: Cong Wang <cong.wang(a)bytedance.com> stable inclusion from stable-v4.19.267 commit d9ad4de92e184b19bcae4da10dac0275abf83931 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5BV5 CVE: CVE-2022-49814 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 5121197ecc5db58c07da95eb1ff82b98b121a221 upstream. sk->sk_receive_queue is protected by skb queue lock, but for KCM sockets its RX path takes mux->rx_lock to protect more than just skb queue. However, kcm_recvmsg() still only grabs the skb queue lock, so race conditions still exist. We can teach kcm_recvmsg() to grab mux->rx_lock too but this would introduce a potential performance regression as struct kcm_mux can be shared by multiple KCM sockets. So we have to enforce skb queue lock in requeue_rx_msgs() and handle skb peek case carefully in kcm_wait_data(). Fortunately, skb_recv_datagram() already handles it nicely and is widely used by other sockets, we can just switch to skb_recv_datagram() after getting rid of the unnecessary sock lock in kcm_recvmsg() and kcm_splice_read(). Side note: SOCK_DONE is not used by KCM sockets, so it is safe to get rid of this check too. I ran the original syzbot reproducer for 30 min without seeing any issue. Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module") Reported-by: syzbot+278279efdd2730dd14bf(a)syzkaller.appspotmail.com Reported-by: shaozhengchao <shaozhengchao(a)huawei.com> Cc: Paolo Abeni <pabeni(a)redhat.com> Cc: Tom Herbert <tom(a)herbertland.com> Signed-off-by: Cong Wang <cong.wang(a)bytedance.com> Link: https://lore.kernel.org/r/20221114005119.597905-1-xiyou.wangcong@gmail.com Signed-off-by: Paolo Abeni <pabeni(a)redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- net/kcm/kcmsock.c | 60 +++++++---------------------------------------- 1 file changed, 8 insertions(+), 52 deletions(-) diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c index dd83837f0fbf..b581b24a358d 100644 --- a/net/kcm/kcmsock.c +++ b/net/kcm/kcmsock.c @@ -223,7 +223,7 @@ static void requeue_rx_msgs(struct kcm_mux *mux, struct sk_buff_head *head) struct sk_buff *skb; struct kcm_sock *kcm; - while ((skb = __skb_dequeue(head))) { + while ((skb = skb_dequeue(head))) { /* Reset destructor to avoid calling kcm_rcv_ready */ skb->destructor = sock_rfree; skb_orphan(skb); @@ -1080,53 +1080,18 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) return err; } -static struct sk_buff *kcm_wait_data(struct sock *sk, int flags, - long timeo, int *err) -{ - struct sk_buff *skb; - - while (!(skb = skb_peek(&sk->sk_receive_queue))) { - if (sk->sk_err) { - *err = sock_error(sk); - return NULL; - } - - if (sock_flag(sk, SOCK_DONE)) - return NULL; - - if ((flags & MSG_DONTWAIT) || !timeo) { - *err = -EAGAIN; - return NULL; - } - - sk_wait_data(sk, &timeo, NULL); - - /* Handle signals */ - if (signal_pending(current)) { - *err = sock_intr_errno(timeo); - return NULL; - } - } - - return skb; -} - static int kcm_recvmsg(struct socket *sock, struct msghdr *msg, size_t len, int flags) { + int noblock = flags & MSG_DONTWAIT; struct sock *sk = sock->sk; struct kcm_sock *kcm = kcm_sk(sk); int err = 0; - long timeo; struct strp_msg *stm; int copied = 0; struct sk_buff *skb; - timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - - lock_sock(sk); - - skb = kcm_wait_data(sk, flags, timeo, &err); + skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) goto out; @@ -1157,14 +1122,11 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg, /* Finished with message */ msg->msg_flags |= MSG_EOR; KCM_STATS_INCR(kcm->stats.rx_msgs); - skb_unlink(skb, &sk->sk_receive_queue); - kfree_skb(skb); } } out: - release_sock(sk); - + skb_free_datagram(sk, skb); return copied ? : err; } @@ -1172,9 +1134,9 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos, struct pipe_inode_info *pipe, size_t len, unsigned int flags) { + int noblock = flags & MSG_DONTWAIT; struct sock *sk = sock->sk; struct kcm_sock *kcm = kcm_sk(sk); - long timeo; struct strp_msg *stm; int err = 0; ssize_t copied; @@ -1182,11 +1144,7 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos, /* Only support splice for SOCKSEQPACKET */ - timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - - lock_sock(sk); - - skb = kcm_wait_data(sk, flags, timeo, &err); + skb = skb_recv_datagram(sk, flags, noblock, &err); if (!skb) goto err_out; @@ -1214,13 +1172,11 @@ static ssize_t kcm_splice_read(struct socket *sock, loff_t *ppos, * finish reading the message. */ - release_sock(sk); - + skb_free_datagram(sk, skb); return copied; err_out: - release_sock(sk); - + skb_free_datagram(sk, skb); return err; } -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] qed/qed_sriov: guard against NULL derefs from qed_iov_get_vf_info
by Wang Liang 28 Jun '25

28 Jun '25

From: Daniil Tatianin <d-tatianin(a)yandex-team.ru> stable inclusion from stable-v4.19.280 commit 7742c08e012eb65405e8304d100641638c5ff882 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5DF1 CVE: CVE-2023-53066 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit 25143b6a01d0cc5319edd3de22ffa2578b045550 ] We have to make sure that the info returned by the helper is valid before using it. Found by Linux Verification Center (linuxtesting.org) with the SVACE static analysis tool. Fixes: f990c82c385b ("qed*: Add support for ndo_set_vf_trust") Fixes: 733def6a04bf ("qed*: IOV link control") Signed-off-by: Daniil Tatianin <d-tatianin(a)yandex-team.ru> Reviewed-by: Michal Swiatkowski <michal.swiatkowski(a)linux.intel.com> Signed-off-by: David S. Miller <davem(a)davemloft.net> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- drivers/net/ethernet/qlogic/qed/qed_sriov.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/drivers/net/ethernet/qlogic/qed/qed_sriov.c b/drivers/net/ethernet/qlogic/qed/qed_sriov.c index 71a7af134dd8..42f95495d06b 100644 --- a/drivers/net/ethernet/qlogic/qed/qed_sriov.c +++ b/drivers/net/ethernet/qlogic/qed/qed_sriov.c @@ -4390,6 +4390,9 @@ qed_iov_configure_min_tx_rate(struct qed_dev *cdev, int vfid, u32 rate) } vf = qed_iov_get_vf_info(QED_LEADING_HWFN(cdev), (u16)vfid, true); + if (!vf) + return -EINVAL; + vport_id = vf->vport_id; return qed_configure_vport_wfq(cdev, vport_id, rate); @@ -5125,7 +5128,7 @@ static void qed_iov_handle_trust_change(struct qed_hwfn *hwfn) /* Validate that the VF has a configured vport */ vf = qed_iov_get_vf_info(hwfn, i, true); - if (!vf->vport_instance) + if (!vf || !vf->vport_instance) continue; memset(&params, 0, sizeof(params)); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS] net: usb: smsc95xx: Limit packet length to skb->len
by Wang Liang 28 Jun '25

28 Jun '25

From: Szymon Heidrich <szymon.heidrich(a)gmail.com> stable inclusion from stable-v4.19.280 commit d3c145a4d24b752c9a1314d5a595014d51471418 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IC5DDV CVE: CVE-2023-53062 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- [ Upstream commit ff821092cf02a70c2bccd2d19269f01e29aa52cf ] Packet length retrieved from descriptor may be larger than the actual socket buffer length. In such case the cloned skb passed up the network stack will leak kernel memory contents. Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver") Signed-off-by: Szymon Heidrich <szymon.heidrich(a)gmail.com> Reviewed-by: Jakub Kicinski <kuba(a)kernel.org> Link: https://lore.kernel.org/r/20230316101954.75836-1-szymon.heidrich@gmail.com Signed-off-by: Jakub Kicinski <kuba(a)kernel.org> Signed-off-by: Sasha Levin <sashal(a)kernel.org> Signed-off-by: Wang Liang <wangliang74(a)huawei.com> --- drivers/net/usb/smsc95xx.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/drivers/net/usb/smsc95xx.c b/drivers/net/usb/smsc95xx.c index 6e971628bb50..514de24a27fa 100644 --- a/drivers/net/usb/smsc95xx.c +++ b/drivers/net/usb/smsc95xx.c @@ -1943,6 +1943,12 @@ static int smsc95xx_rx_fixup(struct usbnet *dev, struct sk_buff *skb) size = (u16)((header & RX_STS_FL_) >> 16); align_count = (4 - ((size + NET_IP_ALIGN) % 4)) % 4; + if (unlikely(size > skb->len)) { + netif_dbg(dev, rx_err, dev->net, + "size err header=0x%08x\n", header); + return 0; + } + if (unlikely(header & RX_STS_ES_)) { netif_dbg(dev, rx_err, dev->net, "Error header=0x%08x\n", header); -- 2.34.1

2 1

[PATCH openEuler-1.0-LTS 0/2] CVE-2023-53125
by Wang Liang 28 Jun '25

28 Jun '25

Szymon Heidrich (2): net: usb: smsc75xx: Limit packet length to skb->len net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull drivers/net/usb/smsc75xx.c | 7 +++++++ 1 file changed, 7 insertions(+) -- 2.34.1

2 3

[PATCH OLK-6.6] x86/tdx: Fix arch_safe_halt() execution for TDX VMs
by Bowen You 28 Jun '25

28 Jun '25

From: Vishal Annapurve <vannapurve(a)google.com> stable inclusion from stable-v6.6.88 commit 29f040d4efb08497165a695f40d7049bd35f846b category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IC8J7I Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id… -------------------------------- commit 9f98a4f4e7216dbe366010b4cdcab6b220f229c4 upstream. Direct HLT instruction execution causes #VEs for TDX VMs which is routed to hypervisor via TDCALL. If HLT is executed in STI-shadow, resulting #VE handler will enable interrupts before TDCALL is routed to hypervisor leading to missed wakeup events, as current TDX spec doesn't expose interruptibility state information to allow #VE handler to selectively enable interrupts. Commit bfe6ed0c6727 ("x86/tdx: Add HLT support for TDX guests") prevented the idle routines from executing HLT instruction in STI-shadow. But it missed the paravirt routine which can be reached via this path as an example: kvm_wait() => safe_halt() => raw_safe_halt() => arch_safe_halt() => irq.safe_halt() => pv_native_safe_halt() To reliably handle arch_safe_halt() for TDX VMs, introduce explicit dependency on CONFIG_PARAVIRT and override paravirt halt()/safe_halt() routines with TDX-safe versions that execute direct TDCALL and needed interrupt flag updates. Executing direct TDCALL brings in additional benefit of avoiding HLT related #VEs altogether. As tested by Ryan Afranji: "Tested with the specjbb2015 benchmark. It has heavy lock contention which leads to many halt calls. TDX VMs suffered a poor score before this patchset. Verified the major performance improvement with this patchset applied." Fixes: bfe6ed0c6727 ("x86/tdx: Add HLT support for TDX guests") Signed-off-by: Vishal Annapurve <vannapurve(a)google.com> Signed-off-by: Ingo Molnar <mingo(a)kernel.org> Reviewed-by: Kirill A. Shutemov <kirill.shutemov(a)linux.intel.com> Tested-by: Ryan Afranji <afranji(a)google.com> Cc: Andy Lutomirski <luto(a)kernel.org> Cc: Brian Gerst <brgerst(a)gmail.com> Cc: Juergen Gross <jgross(a)suse.com> Cc: H. Peter Anvin <hpa(a)zytor.com> Cc: Linus Torvalds <torvalds(a)linux-foundation.org> Cc: Josh Poimboeuf <jpoimboe(a)redhat.com> Cc: stable(a)vger.kernel.org Link: https://lore.kernel.org/r/20250228014416.3925664-3-vannapurve@google.com Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org> Conflicts: arch/x86/coco/tdx/tdx.c [assign value to pv_ops.irq.halt is valid when CONFIG_PARAVIRT_XXL is enabled currently] Signed-off-by: Bowen You <youbowen2(a)huawei.com> --- arch/x86/Kconfig | 1 + arch/x86/coco/tdx/tdx.c | 28 +++++++++++++++++++++++++++- arch/x86/include/asm/tdx.h | 4 ++-- arch/x86/kernel/process.c | 2 +- 4 files changed, 31 insertions(+), 4 deletions(-) diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig index e4c9e582ac95..e8c26aae7057 100644 --- a/arch/x86/Kconfig +++ b/arch/x86/Kconfig @@ -889,6 +889,7 @@ config INTEL_TDX_GUEST depends on X86_64 && CPU_SUP_INTEL depends on X86_X2APIC depends on EFI_STUB + depends on PARAVIRT select ARCH_HAS_CC_PLATFORM select X86_MEM_ENCRYPT select X86_MCE diff --git a/arch/x86/coco/tdx/tdx.c b/arch/x86/coco/tdx/tdx.c index 2f67e196a2ea..a32f210c5b6d 100644 --- a/arch/x86/coco/tdx/tdx.c +++ b/arch/x86/coco/tdx/tdx.c @@ -13,6 +13,7 @@ #include <asm/ia32.h> #include <asm/insn.h> #include <asm/insn-eval.h> +#include <asm/paravirt_types.h> #include <asm/pgtable.h> #include <asm/traps.h> @@ -334,7 +335,7 @@ static int handle_halt(struct ve_info *ve) return ve_instr_len(ve); } -void __cpuidle tdx_safe_halt(void) +void __cpuidle tdx_halt(void) { const bool irq_disabled = false; @@ -345,6 +346,16 @@ void __cpuidle tdx_safe_halt(void) WARN_ONCE(1, "HLT instruction emulation failed\n"); } +static void __cpuidle tdx_safe_halt(void) +{ + tdx_halt(); + /* + * "__cpuidle" section doesn't support instrumentation, so stick + * with raw_* variant that avoids tracing hooks. + */ + raw_local_irq_enable(); +} + static int read_msr(struct pt_regs *regs, struct ve_info *ve) { struct tdx_hypercall_args args = { @@ -888,6 +899,21 @@ void __init tdx_early_init(void) x86_platform.guest.enc_cache_flush_required = tdx_cache_flush_required; x86_platform.guest.enc_tlb_flush_required = tdx_tlb_flush_required; +#ifdef CONFIG_PARAVIRT_XXL + /* + * Avoid "sti;hlt" execution in TDX guests as HLT induces a #VE that + * will enable interrupts before HLT TDCALL invocation if executed + * in STI-shadow, possibly resulting in missed wakeup events. + * + * Modify all possible HLT execution paths to use TDX specific routines + * that directly execute TDCALL and toggle the interrupt state as + * needed after TDCALL completion. This also reduces HLT related #VEs + * in addition to having a reliable halt logic execution. + */ + pv_ops.irq.safe_halt = tdx_safe_halt; + pv_ops.irq.halt = tdx_halt; +#endif /* CONFIG_PARAVIRT_XXL */ + /* * TDX intercepts the RDMSR to read the X2APIC ID in the parallel * bringup low level code. That raises #VE which cannot be handled diff --git a/arch/x86/include/asm/tdx.h b/arch/x86/include/asm/tdx.h index 603e6d1e9d4a..c632f09f0c97 100644 --- a/arch/x86/include/asm/tdx.h +++ b/arch/x86/include/asm/tdx.h @@ -46,7 +46,7 @@ void tdx_get_ve_info(struct ve_info *ve); bool tdx_handle_virt_exception(struct pt_regs *regs, struct ve_info *ve); -void tdx_safe_halt(void); +void tdx_halt(void); bool tdx_early_handle_ve(struct pt_regs *regs); @@ -55,7 +55,7 @@ int tdx_mcall_get_report0(u8 *reportdata, u8 *tdreport); #else static inline void tdx_early_init(void) { }; -static inline void tdx_safe_halt(void) { }; +static inline void tdx_halt(void) { }; static inline bool tdx_early_handle_ve(struct pt_regs *regs) { return false; } diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c index 5351f293f770..64128a501446 100644 --- a/arch/x86/kernel/process.c +++ b/arch/x86/kernel/process.c @@ -950,7 +950,7 @@ void select_idle_routine(const struct cpuinfo_x86 *c) static_call_update(x86_idle, mwait_idle); } else if (cpu_feature_enabled(X86_FEATURE_TDX_GUEST)) { pr_info("using TDX aware idle routine\n"); - static_call_update(x86_idle, tdx_safe_halt); + static_call_update(x86_idle, tdx_halt); } else static_call_update(x86_idle, default_idle); } -- 2.34.1

2 1

[openeuler:openEuler-1.0-LTS 1671/1671] include/linux/uaccess.h:112:17: warning: 'spallocinfo' may be used uninitialized
by kernel test robot 28 Jun '25

28 Jun '25

Hi Ding, FYI, the error/warning still remains. tree: https://gitee.com/openeuler/kernel.git openEuler-1.0-LTS head: 727e25c8c510aebd6e08b0dc39e00cb8ec0dc1e6 commit: 9469d1759c2905dcef49df7e6240ad5c32b66296 [1671/1671] ascend: share_pool: enable svm to use share pool memory config: arm64-randconfig-003-20250627 (https://download.01.org/0day-ci/archive/20250628/202506280935.rzzgWDzt-lkp@…) compiler: aarch64-linux-gcc (GCC) 12.3.0 reproduce (this is a W=1 build): (https://download.01.org/0day-ci/archive/20250628/202506280935.rzzgWDzt-lkp@…) If you fix the issue in a separate patch/commit (i.e. not just a new version of the same patch/commit), kindly add following tags | Reported-by: kernel test robot <lkp(a)intel.com> | Closes: https://lore.kernel.org/oe-kbuild-all/202506280935.rzzgWDzt-lkp@intel.com/ Note: it may well be a FALSE warning. FWIW you are at least aware of it now. http://gcc.gnu.org/wiki/Better_Uninitialized_Warnings All warnings (new ones prefixed by >>): drivers/char/svm.c:249:21: warning: no previous prototype for 'svm_find_mem_reg_node' [-Wmissing-prototypes] 249 | struct device_node *svm_find_mem_reg_node(struct device *dev, const char *compat) | ^~~~~~~~~~~~~~~~~~~~~ drivers/char/svm.c:419:6: warning: no previous prototype for 'sysrq_sched_debug_show_export' [-Wmissing-prototypes] 419 | void sysrq_sched_debug_show_export(void) | ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~ drivers/char/svm.c:1429:5: warning: no previous prototype for 'svm_get_pasid' [-Wmissing-prototypes] 1429 | int svm_get_pasid(pid_t vpid, int dev_id __maybe_unused) | ^~~~~~~~~~~~~ drivers/char/svm.c:1502:5: warning: no previous prototype for '__svm_get_mpam' [-Wmissing-prototypes] 1502 | int __svm_get_mpam(struct svm_mpam *mpam) | ^~~~~~~~~~~~~~ drivers/char/svm.c:2437:36: warning: 'svm_acpi_match' defined but not used [-Wunused-const-variable=] 2437 | static const struct acpi_device_id svm_acpi_match[] = { | ^~~~~~~~~~~~~~ In file included from drivers/char/svm.c:29: In function '_copy_from_user', inlined from 'copy_from_user' at include/linux/uaccess.h:144:7, inlined from 'svm_sp_alloc_mem' at drivers/char/svm.c:2144:8: >> include/linux/uaccess.h:112:17: warning: 'spallocinfo' may be used uninitialized [-Wmaybe-uninitialized] 112 | kasan_check_write(to, n); | ^~~~~~~~~~~~~~~~~~~~~~~~ In file included from include/linux/compiler.h:251, from arch/arm64/include/asm/memory.h:24, from arch/arm64/include/asm/esr.h:21, from drivers/char/svm.c:10: include/linux/kasan-checks.h: In function 'svm_sp_alloc_mem': include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here 7 | void kasan_check_write(const volatile void *p, unsigned int size); | ^~~~~~~~~~~~~~~~~ drivers/char/svm.c:2135:24: note: 'spallocinfo' declared here 2135 | struct spalloc spallocinfo; | ^~~~~~~~~~~ In file included from arch/arm64/include/asm/atomic.h:34, from include/linux/atomic.h:7, from include/asm-generic/bitops/atomic.h:5, from arch/arm64/include/asm/bitops.h:37, from include/linux/bitops.h:19, from include/linux/kernel.h:11, from include/asm-generic/bug.h:18, from arch/arm64/include/asm/bug.h:37, from arch/arm64/include/asm/memory.h:27: In function '__cmpxchg_case_mb_4', inlined from '__cmpxchg_mb' at arch/arm64/include/asm/cmpxchg.h:143:1, inlined from 'svm_proc_load_flag' at drivers/char/svm.c:1967:12: arch/arm64/include/asm/atomic_lse.h:492:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'atomic_t[1]' [-Warray-bounds] 492 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_lse.h:523:1: note: in expansion of macro '__CMPXCHG_CASE' 523 | __CMPXCHG_CASE(w, , mb_4, al, "memory") | ^~~~~~~~~~~~~~ drivers/char/svm.c: In function 'svm_proc_load_flag': drivers/char/svm.c:1958:25: note: object 'l2buf_load_flag' of size 4 1958 | static atomic_t l2buf_load_flag = ATOMIC_INIT(0); | ^~~~~~~~~~~~~~~ In function '__cmpxchg_case_mb_4', inlined from '__cmpxchg_mb' at arch/arm64/include/asm/cmpxchg.h:143:1, inlined from 'svm_proc_load_flag' at drivers/char/svm.c:1967:12: arch/arm64/include/asm/atomic_lse.h:492:9: warning: array subscript 'long unsigned int[0]' is partly outside array bounds of 'atomic_t[1]' [-Warray-bounds] 492 | asm volatile( \ | ^~~ arch/arm64/include/asm/atomic_lse.h:523:1: note: in expansion of macro '__CMPXCHG_CASE' 523 | __CMPXCHG_CASE(w, , mb_4, al, "memory") | ^~~~~~~~~~~~~~ drivers/char/svm.c: In function 'svm_proc_load_flag': drivers/char/svm.c:1958:25: note: object 'l2buf_load_flag' of size 4 1958 | static atomic_t l2buf_load_flag = ATOMIC_INIT(0); | ^~~~~~~~~~~~~~~ In function '_copy_from_user', inlined from 'copy_from_user' at include/linux/uaccess.h:144:7, inlined from 'svm_get_phy_memory_info' at drivers/char/svm.c:1805:6: include/linux/uaccess.h:112:17: warning: 'para' may be used uninitialized [-Wmaybe-uninitialized] 112 | kasan_check_write(to, n); | ^~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kasan-checks.h: In function 'svm_get_phy_memory_info': include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here 7 | void kasan_check_write(const volatile void *p, unsigned int size); | ^~~~~~~~~~~~~~~~~ drivers/char/svm.c:1800:33: note: 'para' declared here 1800 | struct phymeminfo_ioctl para; | ^~~~ In function '_copy_from_user', inlined from 'copy_from_user' at include/linux/uaccess.h:144:7, inlined from 'svm_remap_proc' at drivers/char/svm.c:1863:8: include/linux/uaccess.h:112:17: warning: 'pmem' may be used uninitialized [-Wmaybe-uninitialized] 112 | kasan_check_write(to, n); | ^~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kasan-checks.h: In function 'svm_remap_proc': include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here 7 | void kasan_check_write(const volatile void *p, unsigned int size); | ^~~~~~~~~~~~~~~~~ drivers/char/svm.c:1849:29: note: 'pmem' declared here 1849 | struct svm_proc_mem pmem; | ^~~~ In function '_copy_from_user', inlined from 'copy_from_user' at include/linux/uaccess.h:144:7, inlined from 'svm_ioctl' at drivers/char/svm.c:2217:9: include/linux/uaccess.h:112:17: warning: 'params' may be used uninitialized [-Wmaybe-uninitialized] 112 | kasan_check_write(to, n); | ^~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kasan-checks.h: In function 'svm_ioctl': include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here 7 | void kasan_check_write(const volatile void *p, unsigned int size); | ^~~~~~~~~~~~~~~~~ drivers/char/svm.c:2209:33: note: 'params' declared here 2209 | struct svm_bind_process params; | ^~~~~~ In function '_copy_from_user', inlined from 'copy_from_user' at include/linux/uaccess.h:144:7, inlined from 'svm_sp_free_mem' at drivers/char/svm.c:2179:8, inlined from 'svm_ioctl' at drivers/char/svm.c:2280:9: >> include/linux/uaccess.h:112:17: warning: 'spallocinfo' may be used uninitialized [-Wmaybe-uninitialized] 112 | kasan_check_write(to, n); | ^~~~~~~~~~~~~~~~~~~~~~~~ include/linux/kasan-checks.h: In function 'svm_ioctl': include/linux/kasan-checks.h:7:6: note: by argument 1 of type 'const volatile void *' to 'kasan_check_write' declared here 7 | void kasan_check_write(const volatile void *p, unsigned int size); | ^~~~~~~~~~~~~~~~~ drivers/char/svm.c:2172:24: note: 'spallocinfo' declared here 2172 | struct spalloc spallocinfo; | ^~~~~~~~~~~ vim +/spallocinfo +112 include/linux/uaccess.h d597580d373774 Al Viro 2017-03-20 104 d597580d373774 Al Viro 2017-03-20 105 #ifdef INLINE_COPY_FROM_USER d597580d373774 Al Viro 2017-03-20 106 static inline unsigned long d597580d373774 Al Viro 2017-03-20 107 _copy_from_user(void *to, const void __user *from, unsigned long n) d597580d373774 Al Viro 2017-03-20 108 { d597580d373774 Al Viro 2017-03-20 109 unsigned long res = n; 9c5f6908de03a4 Al Viro 2017-06-29 110 might_fault(); 4983cb67a383a7 Linus Torvalds 2019-02-14 111 if (likely(access_ok(from, n))) { 9c5f6908de03a4 Al Viro 2017-06-29 @112 kasan_check_write(to, n); d597580d373774 Al Viro 2017-03-20 113 res = raw_copy_from_user(to, from, n); 9c5f6908de03a4 Al Viro 2017-06-29 114 } d597580d373774 Al Viro 2017-03-20 115 if (unlikely(res)) d597580d373774 Al Viro 2017-03-20 116 memset(to + (n - res), 0, res); d597580d373774 Al Viro 2017-03-20 117 return res; d597580d373774 Al Viro 2017-03-20 118 } d597580d373774 Al Viro 2017-03-20 119 #else d597580d373774 Al Viro 2017-03-20 120 extern unsigned long d597580d373774 Al Viro 2017-03-20 121 _copy_from_user(void *, const void __user *, unsigned long); d597580d373774 Al Viro 2017-03-20 122 #endif d597580d373774 Al Viro 2017-03-20 123 :::::: The code at line 112 was first introduced by commit :::::: 9c5f6908de03a4f52ba7364b11fcd6116225480c copy_{from,to}_user(): move kasan checks and might_fault() out-of-line :::::: TO: Al Viro <viro(a)zeniv.linux.org.uk> :::::: CC: Al Viro <viro(a)zeniv.linux.org.uk> -- 0-DAY CI Kernel Test Service https://github.com/intel/lkp-tests/wiki

1 0

[PATCH OLK-5.10] fs/ntfs3: Fix NULL deref in ntfs_update_mftmirr
by Jiacheng Yu 28 Jun '25

28 Jun '25

From: <yujiacheng3(a)huawei.com> From: Pavel Skripkin <paskripkin(a)gmail.com> mainline inclusion from mainline-v6.0-rc2 commit 321460ca3b55f48b3ba6008248264ab2bd6407d9 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ICG6RW CVE: CVE-2022-50057 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?… -------------------------------- If ntfs_fill_super() wasn't called then sbi->sb will be equal to NULL. Code should check this ptr before dereferencing. Syzbot hit this issue via passing wrong mount param as can be seen from log below Fail log: ntfs3: Unknown parameter 'iochvrset' general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] CPU: 1 PID: 3589 Comm: syz-executor210 Not tainted 5.18.0-rc3-syzkaller-00016-gb253435746d9 #0 ... Call Trace: <TASK> put_ntfs+0x1ed/0x2a0 fs/ntfs3/super.c:463 ntfs_fs_free+0x6a/0xe0 fs/ntfs3/super.c:1363 put_fs_context+0x119/0x7a0 fs/fs_context.c:469 do_new_mount+0x2b4/0xad0 fs/namespace.c:3044 do_mount fs/namespace.c:3383 [inline] __do_sys_mount fs/namespace.c:3591 [inline] Fixes: 82cae269cfa9 ("fs/ntfs3: Add initialization of super block") Reported-and-tested-by: syzbot+c95173762127ad76a824(a)syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin <paskripkin(a)gmail.com> Signed-off-by: Konstantin Komarov <almaz.alexandrovich(a)paragon-software.com> Signed-off-by: Jiacheng Yu <yujiacheng3(a)huawei.com> Reviewed-by: Zhihao Cheng <chengzhihao1(a)huawei.com> --- fs/ntfs3/fsntfs.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/ntfs3/fsntfs.c b/fs/ntfs3/fsntfs.c index 0089f448f4f8..210799c6b3bf 100644 --- a/fs/ntfs3/fsntfs.c +++ b/fs/ntfs3/fsntfs.c @@ -831,10 +831,15 @@ int ntfs_update_mftmirr(struct ntfs_sb_info *sbi, int wait) { int err; struct super_block *sb = sbi->sb; - u32 blocksize = sb->s_blocksize; + u32 blocksize; sector_t block1, block2; u32 bytes; + if (!sb) + return -EINVAL; + + blocksize = sb->s_blocksize; + if (!(sbi->flags & NTFS_FLAGS_MFTMIRR)) return 0;

2 5